Securing Those Devices

For IT, there are a few key challenges related to BYOT implementation. These revolve around managing and securing mobile devices, and the costs that entails. Here, we’ll look at some of the common snags.

So Many Devices, So Little Time

As we’ve already discussed, one of the first steps in setting up BYOT is establishing employee and device policies. Then, it’s up to the IT department to monitor these devices on an ongoing basis. Policies should also be tweaked as required to meet an organization’s real-world needs. This can be accomplished through the use of any one of a number of mobile device management (MDM) software suites. But this is just the beginning. IT must also decide how heavily to govern employees’ use of their mobile devices. In many cases, this will depend on the organization’s needs and the industry in which it operates. Here are some of the options:
1. Locking Down Devices
This means that users can’t switch apps, change configuration settings or modify email accounts. Access to non-corporate wireless networks may also be prohibited. This is the most secure option, but it’s also the least useful for many employees. It also seems to defeat the whole purpose of BYOT. Imagine the conversation with the employee who just plunked down $500+ for a new iPhone, only to be told that he can’t use the majority of its functionality. While locking down is always the easiest from a security perspective, it is becoming much less practical.
2. Restricting Purchases
This limits the mobile apps and other content the device can download.
3. Restricting Content
This limits the content a device can access, perhaps blocking social media or video websites. This might be an appropriate security tool for devices that customers might see, such as those used in sales.
4. Allowing Preconfigured Settings
This is a more permissive model, where devices automatically configure corporate services and accounts such as VPNs, user emails and Wi-Fi. This gets users up and running in an efficient way.
5. Applying Message/Roaming Restrictions
This type of management is especially important when a company is footing the employee’s wireless bill. This ensures that when employees use their phones to call home on vacation, the company doesn’t take the hit in terms of roaming charges. Be careful, though. While no company wants to pay for roaming while an employee is vacationing in Mexico, you definitely don’t want to cut off all access to your boss when he heads to London for that big meeting.
6. Enforcing the Use of Pre-Installed Apps
If only pre-installed apps are allowed, this can prevent issues with downloading malware in apps or even just improve productivity by ensuring company devices aren’t loaded with time-sucking games and other non-work-related programs.
7. Imposing Synchronization Restrictions
This limits the computers and services a device can turn to for backup, which helps prevent employees from creating backups of company data (thus preventing data loss).
8. Setting up Secure Access
This is the configuration of security services to ensure that data is securely uploaded/downloaded. This could mean a VPN, as well as Secure Sockets Layer (SSL) certificates.
9. Creating a Dedicated Corporate Container
This involves creating an encrypted data store on devices, so that even compromised devices are afforded some protection.
10. Enabling Business Cloud Service
The device is preconfigured to provide access to company-managed cloud services and applications.
11. Disabling Personal Cloud Service
This entails allowing employees to access cloud services for work applications but not for personal use. While this may be desirable in terms of productivity, this level of security is not likely to be possible on employee-owned devices.
12. Location Data Restrictions
This prevents a device from using location services or accessing apps that work with location data. This is a difficult challenge because apps increasingly use location-based data.
13. Enabling Virtual Desktops
This involves providing access to company data through a secure virtual desktop. This is a good measure for any field where security is paramount.
Part of the issue with all these restrictions is that they are eerily similar to restrictions placed on company-owned technology. This is why corporate BYOT policies are so important. After all, no company is going to allow a free-for-all that puts its corporate data at risk. Some of these policies include placing employee limitations on BYOT and educating employees on security best practices. So, a company might restrict employee work devices and educate employees on their responsibilities, in terms of safeguarding, updating and applying bug patches to these devices. This isn’t a foolproof security strategy, but it does help reduce some of BYOT's major risks.
Centralized controls, whereby employees agree to allow employers some measure of control, such as wiping their devices under certain circumstances and locking down access to data, are another practical option. Rather than allowing data to exist on a number of separate devices, data centralization may involve the use of virtual desktops. This allows data to be processed and stored in a centralized location, while security settings indicate which data may be read and/or updated by employees.